UK online shoppers face more identity checks as new anti-fraud rules kick in

Online shoppers in the UK can expect more identity checks – and probably more card-declined messages – over the coming weeks, as retailers get ready for new anti-fraud rules that come into force on 14 March.

Online shoppers in the UK can expect more identity checks – and probably more card-declined messages – over the coming weeks, as retailers get ready for new anti-fraud rules that come into force on 14 March.

Buyers have already started seeing more requests to verify their ID as payments providers and retailers adopt the new strong customer authentication (SCA) rules.

Under the changes, before a retailer can accept an electronic (online) payment it will have to verify that the customer is who they claim to be. The measures are similar to those already faced by people logging into online banking.

While most low-value retail purchases will go ahead as before, with checks carried out in the background, shoppers buying more expensive items online will have to input a password, a pin or a one-time-passcode they have been sent via a text or landline, or log into their banking app and approve the purchase.

The rules, which have been introduced by the Financial Conduct Authority (FCA), were supposed to come into force a year ago but were delayed to give retailers more time to adapt. The legislation came out of the European Banking Authority, and was adopted into UK law before Brexit.

It will apply to debit and credit card purchases, and will have the biggest impact on those making what are deemed to be the riskiest purchases. The new rules do not apply if you buy something over the phone.

High-value purchases, or those outside a buyer’s normal spending habits or transacted on a previously unused device, are likely to prompt the extra security check.

Mastercard says it expects about 25% of online transactions to require some form of extra verification by the customer after 14 March. Until now, only 1% of online purchases triggered the need to input a password, or similar.

Under the EU rules, payments under €30 (£25) are considered low value but there are exemptions that mean that not all spending above that level will prompt SCA.

Similarly, multiple low-value payments could prompt a request for verification.

If you have already noticed it happening, it is because card issuers began declining some noncompliant transactions on 18 January as part of the “ramp-up” to SCA’s full implementation.

There have already been some anecdotal reports of payments being declined. Before Christmas the FCA warned in an update that merchants that are not able to fully comply with anti-fraud requirements “risk their customers’ online transactions being declined”.

Jana Mackintosh, the managing director of payments at UK Finance, which represents the banking industry, says: “Fraud is a growing problem, with criminals stealing more than £750m in the first half of 2021 alone. That is why it is more important than ever that additional protections like SCA are put in place. For retailers, implementing SCA will provide customers peace of mind that payment processes are more secure.”

In 2019, the consumer group Which? warned that those without a mobile phone, or a signal at home, risked being disfranchised by the changes.

The FCA appears to have taken this on board and has told the payments firms that it expects them to develop SCA solutions that work for all groups of consumers.

“This means that you may need to provide several different methods of authentication for your customers. This includes methods that don’t rely on mobile phones, to cater for consumers who don’t have, or don’t want to use, a mobile phone,” it says.

The relatively small group of people who shop online but do not use a mobile phone will have to choose to verify their ID in some other way. Those who have a smartphone but don’t receive a signal at home are advised to download their bank’s app, which will work over wifi.

Nationwide building society is typical in that it has told its customers who do not use its banking app that they can opt to receive a code via a message to a landline, or by using their card reader and debit card.

It has advised customers to make sure it has the correct mobile number, email address and landline, “so you’ll get any authentication codes we send quickly, and you won’t get interrupted while shopping online”.